{{ ansible_managed | comment }}
#
# Inner-tunnel virtual server for the TLS-based EAP methods (EAP-TTLS/PEAP).
# The outer virtual server decrypts the TLS tunnel and hands the inner
# request to this server; attributes written to 'outer.session-state' are
# the only channel back to the outer request.
#
# Processing order matters in every section below: unlang runs modules
# top to bottom and the 'if' conditions test the return code of the
# module that ran immediately before them.
#
server inner-aurore {
    authorize {
        # Log the inner identity before any filtering/rewriting happens.
        linelog_inner_authz_user

        # Stock policies: sanitise User-Name, then check the inner identity
        # against the outer one (presumably from the shipped policy.d;
        # confirm the exact rule there), then split user@realm (NAI).
        filter_username
        filter_inner_identity
        split_username_nai

        # Don't proxy requests from inner tunnel
        # (forces local handling even if split_username_nai found a realm)
        update control {
            Proxy-To-Realm := LOCAL
        }

        # Must be before 'ldap', so that we don't query the LDAP server
        # for "internal" packets (cf. documentation for
        # sites-available/inner-tunnel)
        eap_inner {
            ok = return
        }

        # Look the user up in the directory. Only reached for inner requests
        # that eap_inner did not fully handle (e.g. TTLS/PAP with a
        # User-Password).
        ldap

        # See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
        #
        # 'ok'/'updated' refer to the 'ldap' call just above. The User-Password
        # requirement exists because Auth-Type ldap performs an LDAP bind as the
        # user, which needs the cleartext password (so this path only serves
        # PAP-style inner methods, never MSCHAPv2).
        #
        # NOTE(review): that bind sends the user's cleartext password to the
        # directory; the ldap module's connection must use LDAPS/StartTLS
        # (module config not visible here — confirm in mods-available/ldap).
        if ((ok || updated) && &User-Password) {
            update control {
                Auth-Type := ldap
            }
        }

        # Fallback: rlm_pap only sets Auth-Type if it is still unset and a
        # usable known-good password is present, so it is a no-op when the
        # LDAP branch above fired.
        pap
    }

    authenticate {
        # EAP sub-methods negotiated inside the tunnel (Auth-Type = eap).
        eap_inner

        # Authenticate using 'Auth-Type = LDAP'
        # This is not recommended by FreeRADIUS (cf. documentation for
        # sites-available/default), but the password hashing scheme used
        # by 389DS is not yet supported by FreeRADIUS 3
        # (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
        ldap
    }

    post-auth {
        # Propagate a VLAN assignment from the directory to the outer
        # request; the outer server is expected to copy session-state into
        # its Access-Accept (not visible here — confirm).
        #
        # NOTE(review): only Tunnel-Private-Group-ID is copied. If the
        # outer server does not itself add Tunnel-Type=VLAN and
        # Tunnel-Medium-Type=IEEE-802, most NAS will ignore the VLAN id;
        # verify where those two attributes are set.
        if (&reply:Tunnel-Private-Group-ID) {
            update outer.session-state {
                Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
            }
        }

        # Log the inner-tunnel outcome (success path).
        linelog_inner_postauth

        Post-Auth-Type reject {
            # Carry the failure reason to the outer request so the outer
            # server can log it. It goes into session-state, not
            # outer.reply, so it should not reach the client unless the
            # outer server copies session-state into Access-Reject —
            # confirm that it does not.
            update outer.session-state {
                &Module-Failure-Message := &request:Module-Failure-Message
            }
            # Log the inner-tunnel outcome (reject path).
            linelog_inner_postauth
        }
    }
}